Re: [TLS] tls 1.3: renegotiation

Martin Thomson <martin.thomson@gmail.com> Mon, 28 July 2014 23:05 UTC

Return-Path: <martin.thomson@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9B39A1A0347 for <tls@ietfa.amsl.com>; Mon, 28 Jul 2014 16:05:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wMIx7uFtyDXZ for <tls@ietfa.amsl.com>; Mon, 28 Jul 2014 16:05:46 -0700 (PDT)
Received: from mail-wg0-x232.google.com (mail-wg0-x232.google.com [IPv6:2a00:1450:400c:c00::232]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E0F0D1A0318 for <tls@ietf.org>; Mon, 28 Jul 2014 16:05:45 -0700 (PDT)
Received: by mail-wg0-f50.google.com with SMTP id n12so8128285wgh.9 for <tls@ietf.org>; Mon, 28 Jul 2014 16:05:44 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:content-transfer-encoding; bh=QgpjcAps+CL8gXMyYpatptjjZ2YWoFZRxEwVZGf3BEU=; b=Ui6MHYdhQiXcB9KPy+EU+NpZbx2gyucnmkH0UtYS0LhiB+uNjcr3sLoLCqI3gMQD3t 5DiFS+hJt4tbrjcvLNZE4Y7nCl6RbkGbftTiG70+kItCtQREIFJatJemxqDYIi02Ists X1GQeUXJa7aEmumG0pD6ZuGsVfCe4SlMEsERBLXxdN0WToPJAp0+UVgrI2B8GWr51s05 LPx9DL8VQitf0NOWDxOVhMLZCwvB25vVxcvN/BV8HtuyzIk++IhnnVqwZHn2f8gf+Poz mtp9RmCeOCrWsbsdw1Zlb7dygKoXXHH3sGoNOnuMqACgefKk92d0YCIBtmsTWROf4EAp IQbg==
MIME-Version: 1.0
X-Received: by 10.194.185.238 with SMTP id ff14mr54842263wjc.9.1406588744440; Mon, 28 Jul 2014 16:05:44 -0700 (PDT)
Received: by 10.194.110.6 with HTTP; Mon, 28 Jul 2014 16:05:44 -0700 (PDT)
In-Reply-To: <52de31491a51434ca4dc6cbbdda1d004@BL2PR03MB419.namprd03.prod.outlook.com>
References: <7C3D5CF9-2B17-4953-A13D-C5E7226D13E7@ieca.com> <CABqy+so=yV9Gp8aCp3cJ8wQRmd6JC-J9raEzgw1c1UDdFT2=JQ@mail.gmail.com> <da5c2db0d5c248d196333718e5674685@BL2PR03MB419.namprd03.prod.outlook.com> <CABkgnnU5dg3icMwOZ95nY-L=LP0yNB-dU5t5KUVOC1WdfsL4zw@mail.gmail.com> <52de31491a51434ca4dc6cbbdda1d004@BL2PR03MB419.namprd03.prod.outlook.com>
Date: Mon, 28 Jul 2014 16:05:44 -0700
Message-ID: <CABkgnnUXzycXMXY2=p9S0AgG6d08qrj0zUCNg6-LOaFOOWbroA@mail.gmail.com>
From: Martin Thomson <martin.thomson@gmail.com>
To: Andrei Popov <Andrei.Popov@microsoft.com>
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/2gG-uxqfKhG9PsOvZ0NhSLlIgrU
Cc: "TLS@ietf.org \(tls@ietf.org\)" <tls@ietf.org>
Subject: Re: [TLS] tls 1.3: renegotiation
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 28 Jul 2014 23:05:47 -0000

On 28 July 2014 15:24, Andrei Popov <Andrei.Popov@microsoft.com> wrote:
> Are you saying that because HTTP/2 designers chose to ban renegotiation, the customers no longer need to perform TLS client auth in the middle of a connection? Perhaps I'm missing this point.
>
>> And it's not that alternatives don't exist, it's more the case that we disagree on the viability aspects, I think.
> The alternatives would need to address all the combinations of TLS and HTTP versions (and I believe the alternatives proposed so far don't). Also, there should be some way to encapsulate the alternatives such that sites don't need to fork client auth code for different TLS + HTTP version combinations.

That's fairly straightfoward.  My strawman proposal is
protocol-version-agnostic.

> Next, it is not desirable to add latency compared with the existing solution. And if we can get this to work for all application protocols (not just HTTP), even better. Hopefully the result will prove to be worth the design and implementation effort:).

I'm less sensitive to latency in these cases.  With a 0-RTT handshake,
it could be that HTTP/2 on a new connection would be faster than what
currently occurs, since from the point of HelloRequest, the server
needs to wait for two RTT from the client before it can send data.
(If the request contains a body that doesn't fit into the first flight
congestion window, then I might concede that it is slower.)